The week in security: Malware growth leaves Australian CIOs unprepared

CIOs may only have glimpses of the future of mobile security, but security firm Bitdefender believes one of the recurring issues will be the continued channelling of private information even from paid-for apps in the Android Play app store. That’s a more immediate but no less worrying threat than a targeted Android attack against Uyghur activists, discovered by Kaspersky Lab security analysts and reflective of a growing Android malware profile that’s being addressed by the release of tools like AVG’s free new ‘TuneUp’ app.

Tapping into skilled students’ hacking abilities has become an increasingly popular practice. Melbourne’s Deakin University and Sydney’s Macquarie University, for example, have partnered with Trend Micro to develop and test big-data analysis techniques to better understand the cybersecurity threats facing Australian companies. And the US National Security Agency has tried an interesting approach by pitting its top hackers against university-age security enthusiasts from three top-tier military academies. Whether or not their collective minds will be able to improve the detection of and response to sneaky malware like the new Win32/Nemim.gen!A – which hides key files to avoid detection and analysis – is yet to be seen.

Some security technologies are proving problematic all on their own, with around half of online shoppers often prevented from completing online purchases because they can’t get their security credentials to work. Maybe they need to look at brain-powered passwords, or simply find a better authentication provider in a field that’s become more powerful with the release of a white-label authentication solution for Australian service providers.

Some law-enforcement authorities were suggesting the Find My Mac feature of Apple’s OS X lacks enough information to enable legal recovery of the device, while analysis of a hack of supermarket chain Schnucks found it took the company two weeks to find out how credit and debit card information on up to 2.4 million customers had been compromised.

Another analysis found malware that’s targeting online share trading software, while a new variant of the Gozi banking Trojan infects a computer’s Master Boot Record (MBR) to confound its removal. Aiming to confound malware targeted at financial-services targets, a Cambridge University spinoff has developed a new form of protection against ‘man-in-the-browser’ Trojan attacks, with a mobile device-based visual image security system to improve authentication.

In this and other cases it’s important to keep an open mind: many companies are in denial about the insider threat to data security, a new survey said, with nearly half of UK employers trusting their workers not to steal company information. But you don’t have to be a big business to get compromised: a Symantec study found that cyber-criminals are increasingly targeting vulnerable small businesses as easy prey. Others, though, continue to aim higher – and, as one 21-year-old British hackerand the co-founder of Pirate Bay found out, sometimes getting caught for it.

Caught or not, some attacks are starting to resemble bank heists – which has security experts worried. Many data centre providers are seeking to fill in the gaps with strong security nous, but there’s no need to even go out the door to find potential problems: an analysis of 13 popular home and small-office routers found critical security vulnerabilities.

Doubly so in Australia where, a survey found, CIOs feel broadly unprepared to deal with cyber attacks and aren’t always sure about the best ways to clinch security funding. That’s a problem, since the only way is up: a study from HP’s new HP Security Research (HPSR) organisation found that vulnerabilities were up nearly 20% since last year, while DDoS fighter Prolexic released figures suggesting DDoS attacks are up this year in both number and size. Worse still, many customers are finding network security technologies ineffective, according to a new Ponemon Institute report.

Even gaming machines aren’t free from problems, with one gaming-software developer moving to fix some identified flaws. Yet Oracle eclipsed even that number by shipping 128 patches covering security weaknesses across “hundreds” of its products. A new version of Java included 42 security fixes alone, and changed the way Web-based Java content will be presented inside Web browsers, while a new technical security standard is aiming at higher-level applications with an effort to improve supply-chain safety.

Even as the US government prepared to vote on, and eventually passed, the CISPA cyberthreat bill, one of its sponsors created a social-media storm by suggesting many of the opponents to the law are 14-year-olds in their basements.

Whether or not he’s right, basement-bound 14-year-olds might intuitively be able to answer a question answered by more formal research: how much malware is there, really, on free pornography sites? Some sites are remarkably free from the nasties, although one Russian porn site has been delivering malware that uses victims’ computers to mine bitcoins.

Anti-spam efforts scored a small victory after antispam vendor Cloudmark found that gift-card SMS spam had dropped after action by the US Federal Trade Commission against eight companies.

US Secretary of State John Kerry said cyber-defences will be crucial to ensuring security in the Asian region, while EU regulators were paying attention to open DNS resolvers after last month’s Spamhaus DDoS attacks, which EU security agency ENISA pinned on ISPs having ignored decade-old recommendations on limiting false IP traffic.

Meanwhile, Microsoft moved towards optional two-factor authentication and, announcing that browsers are the biggest security threats to enterprises, is developing a new client-side architecture called Embassies, which is designed to improve Web application security using Internet addresses for external communications.

Speaking of browser security: Apple has kept patching its Java version for the popular Snow Leopard operating system, even as it was revealed the next major version of Java – Java 8 – has been pushed back into the first quarter of 2014.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleCambridge UniversityCloudmarkCSODeakin UniversityDeakin UniversityEUFederal Trade CommissionHPKasperskyKasperskyMacquarie UniversityMacquarie UniversityMicrosoftNational Security AgencyOracleSymantecTrend Micro AustraliaUS Federal Trade Commission

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

More videos

Blog Posts